Does ticket 19866 apply to Django 1.4
26 views
Skip to first unread message
yakka...@gmail.com
Dec 5, 2014, 12:15:41 AM12/5/14
to django...@googlegroups.com
Does ticket 19866 apply to Django 1.4? Reading through the notes, it seems it does but I'm still getting a 500 error. If not, is there a way to keep Django from returning a 500 error. I've found other people filtering these out. I don't want to filter them out.
I've got some hackers trying to exploit the wordpress /xmlrpc.php on my Django site. Most of the time they are coming back 404 but there are times I'm getting exceptions like:
-------------------------------
Traceback (most recent call last):
File "/usr/local/python2p7/lib/python2.7/site-packages/django/core/handlers/base.py", line 87, in get_response
response = middleware_method(request)
File "/usr/local/python2p7/lib/python2.7/site-packages/django/middleware/common.py", line 55, in process_request
host = request.get_host()
File "/usr/local/python2p7/lib/python2.7/site-packages/django/http/__init__.py", line 223, in get_host
"Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS)
<WSGIRequest
path:/wp/xmlrpc.php,
...
'HTTP_USER_AGENT': 'LWP::Simple/6.00 libwww-perl/6.04',...
'REQUEST_URI': '/wp/xmlrpc.php',
-------------------------------
Brian
Carl Meyer
Dec 5, 2014, 12:43:36 PM12/5/14
to django...@googlegroups.com
Hi Brian,
On 12/04/2014 10:15 PM, yakka...@gmail.com wrote:
>
> Does ticket 19866 <https://code.djangoproject.com/ticket/19866> apply to
1.4, but it is not fixed in 1.4; it was first fixed in 1.6 (you can see
this by following the link in the last comment to the GitHub commit that
fixed it, and then looking at the list GitHub gives you of the
branches/tags containing the commit). So it's not surprising that you're
seeing it as a problem in 1.4.
I think your options are a) upgrade to 1.6+, b) filter these reports, or
c) live with the reports.
Carl
On 12/04/2014 10:15 PM, yakka...@gmail.com wrote:
>
> Does ticket 19866 <https://code.djangoproject.com/ticket/19866> apply to
> Django 1.4? Reading through the notes, it seems it does but I'm still
> getting a 500 error. If not, is there a way to keep Django from returning a
> 500 error. I've found other people filtering these out. I don't want to
> filter them out.
I'm not sure what you mean by "apply to". That ticket is a problem in
> getting a 500 error. If not, is there a way to keep Django from returning a
> 500 error. I've found other people filtering these out. I don't want to
> filter them out.
1.4, but it is not fixed in 1.4; it was first fixed in 1.6 (you can see
this by following the link in the last comment to the GitHub commit that
fixed it, and then looking at the list GitHub gives you of the
branches/tags containing the commit). So it's not surprising that you're
seeing it as a problem in 1.4.
I think your options are a) upgrade to 1.6+, b) filter these reports, or
c) live with the reports.
Carl
Collin Anderson
Dec 6, 2014, 1:06:14 PM12/6/14
to django...@googlegroups.com
Hi Brian,
If you're behind nginx, you can filter the hostname there before it hits django. I usually add an empty server {} block at the beginning of my conf to act as the default and catch server host names that are not defined so they don't hit django.
Collin
Reply all
Reply to author
Forward
0 new messages